[Solved/Patch] pfSense (dest) -> FritzBox -> Internet <- FritzBox (src)
-
Hello out there,
I have a little problem, which I think is solvable… But I don't get it. I try to get my site-to-site IPsec working in both directions. The tunnel itself is established and working...
Like the topic says, this is the network
pfSense -> FritzBox -> Internet <- FritzBox

pfSense 2.3.1 (behind AVM FritzBox with DynDNS)
| FritzBox | 192.168.10.0/24 |
| pfSense | 10.5.1.0/24 |

FritzBox 7390 (v6.51)
| FritzBox | 192.168.100.0/24 |
FritzBox config

```
vpncfg {
    vpncfg_version = 1;
    connections {
        enabled = yes;
        editable = yes;
        conn_type = conntype_out;
        name = "FANCY NAME";
        boxuser_id = 0;
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "xxx";            // DynDNS hostname pfSense
        keepalive_ip = 10.5.1.1;           // Server behind pfSense
        localid {
            fqdn = "yyy";                  // DynDNS hostname FritzBox 7390
            // ipaddr = xxx.xxx.xxx.xxx;   // tried public IP, but no change
        }
        remoteid {
            fqdn = "xxx";                  // DynDNS hostname pfSense
            // ipaddr = xxx.xxx.xxx.xxx;   // tried public IP, but no change
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "zzz";                       // Super secret
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.100.0;    // FritzBox 7390
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 10.5.1.0;         // pfSense
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
        accesslist = "permit ip any 10.5.1.0 255.255.255.0";
        app_id = 0;
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
```
pfSense Phase 1
| Key exchange version | V1 |
| Internet Protocol | IPv4 |
| Interface | WAN |
| Remote Gateway | yyy (DynDNS FritzBox 7390) |
| Description | whatever |
| Authentication Method | Mutual PSK |
| Negotiation Mode | Main |
| My identifier | Distinguished name -> xxx (DynDNS pfSense) |
| Peer identifier | Distinguished name -> yyy (DynDNS FritzBox 7390) |
| Pre-shared Key | zzz |
| Encryption Algorithm | AES -> 256bits |
| Hash Algorithm | SHA1 |
| DH Group | 2 (1024) |
| Lifetime (seconds) | 86400 |
| Disable rekey | no |
| Responder only | yes |
| NAT Traversal | Force |
| DPD | enable |
| Delay | 60 |
| Max failures | 5 |

pfSense Phase 2
| Mode | Tunnel IPv4 |
| Local Network | LAN subnet |
| NAT/BINAT Translation | none |
| Remote Network | Network -> 192.168.100.0/24 |
| Description | whatever |
| Protocol | ESP |
| Encryption Algorithm | AES -> 256bits |
| Hash Algorithms | SHA1 |
| PFS key group | off |
| Lifetime | 3600 |
| Automatically ping host | 192.168.100.254 |

Firewall Rules allow IPsec from 192.168.100.0/24 to LAN subnet.
If I use this I will always get
15[IKE] <con2000|9407> peer requested virtual IP %any
15[IKE] <con2000|9407> no virtual IP found for %any requested by 'yyy'   <- DynDNS FritzBox 7390
Now I have to add
rightsourceip=192.168.100.10
to ipsec.conf and reload ipsec
Tunnel is up and I can ping from 192.168.100.0/24 to 10.5.1.0/24 (also DNS is resolvable)
------------------------------------------------------------------------------------
| But I can't get a ping from 10.5.0.0/24 to 192.168.100.0/24 |
------------------------------------------------------------------------------------

So how do I get a fully working tunnel?
Some extras
If pfSense is trying to establish the tunnel, nothing happens, because the FritzBox 7390 seems to not want to answer.
RoadWarriors are working fine since years.
All needed ports are forwarded to the pfSense.

P.S.: Lifetime and security is not that important atm. Will work on this, if tunnel is working in both directions…
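As an added example (not code from this post, from pfSense or from AVM), the following Python covers the two things the thread works through: it scans charon log lines for the "no virtual IP found … requested by" refusal quoted above and reports which peer identity triggered it, and it renders an ipsec.conf conn approximating the Phase 1/Phase 2 tables with the rightsourceip workaround, validating the value as one address inside the remote subnet before it is written (the check a hand-edited or GUI-supplied value needs). The log lines are constructed; the conn name con2000, the identities xxx/yyy and the strongSwan keyword choices are assumptions, and pfSense's own generated ipsec.conf differs in detail.

```python
import ipaddress
import re

# Constructed charon log lines modelled on the symptom quoted in the post.
SAMPLE_LOG = """\
15[IKE] <con2000|9407> IKE_SA con2000[9407] established between 203.0.113.10[xxx]...198.51.100.20[yyy]
15[IKE] <con2000|9407> peer requested virtual IP %any
15[IKE] <con2000|9407> no virtual IP found for %any requested by 'yyy'
"""

VIRTUAL_IP_FAILURE = re.compile(
    r"no virtual IP found for (?P<pool>\S+) requested by '(?P<peer>[^']+)'"
)


def find_virtual_ip_failures(log_text):
    """Return (requested pool, peer identity) for each line in which charon
    refused a virtual-IP request because the conn has no rightsourceip."""
    hits = []
    for line in log_text.splitlines():
        m = VIRTUAL_IP_FAILURE.search(line)
        if m:
            hits.append((m.group("pool"), m.group("peer")))
    return hits


def validate_virtual_ip(value, remote_subnet):
    """Accept only a single IPv4 address inside the peer's subnet.
    ipaddress rejects anything that is not a bare address, so a value that
    carries a newline or an extra ipsec.conf keyword never reaches the file."""
    addr = ipaddress.IPv4Address(value.strip())  # raises ValueError on junk
    net = ipaddress.IPv4Network(remote_subnet)
    if addr not in net:
        raise ValueError(f"{addr} is not inside the remote subnet {net}")
    return str(addr)


def is_valid_virtual_ip(value, remote_subnet):
    """Boolean wrapper around validate_virtual_ip for quick checks."""
    try:
        validate_virtual_ip(value, remote_subnet)
        return True
    except ValueError:
        return False


def render_conn(name, local_id, remote_id, remote_host,
                local_subnet, remote_subnet, virtual_ip=None):
    """Render an ipsec.conf conn for the IKEv1 main-mode / PSK settings in the
    post's Phase 1 and Phase 2 tables (AES-256, SHA1, DH group 2, no PFS,
    responder only, NAT-T forced). virtual_ip, when given, becomes the
    single-address rightsourceip the FritzBox asks for; it is validated first."""
    lines = [
        f"conn {name}",
        "\tkeyexchange = ikev1",
        "\taggressive = no",                 # Negotiation Mode = Main
        "\tauthby = psk",
        "\tauto = add",                      # responder only: never initiate
        "\tforceencaps = yes",               # NAT Traversal = Force
        "\tdpdaction = clear",               # responder: just tear down on DPD failure
        "\tdpddelay = 60s",
        "\tike = aes256-sha1-modp1024!",
        "\tesp = aes256-sha1!",              # PFS off, so no DH group on esp
        "\tikelifetime = 86400s",
        "\tlifetime = 3600s",
        "\tleft = %any",
        f"\tleftid = @{local_id}",           # FQDN identity, no DNS lookup
        f"\tleftsubnet = {local_subnet}",
        f"\tright = {remote_host}",
        f"\trightid = @{remote_id}",
        f"\trightsubnet = {remote_subnet}",
    ]
    if virtual_ip is not None:
        safe = validate_virtual_ip(virtual_ip, remote_subnet)
        lines.append(f"\trightsourceip = {safe}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for pool, peer in find_virtual_ip_failures(SAMPLE_LOG):
        print(f"peer '{peer}' asked for a virtual IP from {pool}; add rightsourceip")
    print(render_conn("con2000", "xxx", "yyy", "yyy",
                      "10.5.1.0/24", "192.168.100.0/24", "192.168.100.10"))
```

Run it as-is to see the symptom detector fire on the sample lines and the conn printed with `rightsourceip = 192.168.100.10`; pass a value outside 192.168.100.0/24, or anything that is not a bare address, and `render_conn` raises instead of writing it.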
-
little update… did some modifications
/etc/inc/vpn.inc
1042 if (count($rightsourceips)) { 1043 $rightsourceip = "\trightsourceip = " . implode(',', $rightsourceips) . "\n"; 1044 } 1045 } + + if (isset($ph1ent['avmvirtualip'])) { + $rightsourceip = "\trightsourceip = {$ph1ent['avmvirtualip']}\n"; + } 1046 1047 if (!empty($ph1ent['caref'])) { 1048 $ca = lookup_ca($ph1ent['caref']); 1049 if ($ca) {
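Review bot: the added `isset($ph1ent['avmvirtualip'])` block writes the value straight into the `rightsourceip` line without checking that it is an address, so once this becomes a GUI field a typo, an empty element or a value containing a newline lands verbatim in ipsec.conf. Validate it with pfSense's `is_ipaddr()` at input time and guard it here too, e.g. `if (!empty($ph1ent['avmvirtualip']) && is_ipaddr($ph1ent['avmvirtualip'])) {`, which also matches the `!empty($ph1ent['caref'])` style of the check just below and avoids emitting a bare `rightsourceip =` when the element is present but blank. The override also silently replaces any `$rightsourceips` pool assembled in the `count($rightsourceips)` block above; that is the intent here, but a one-line comment saying so would help the next reader.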
/conf/config.xml (somewhere in phase1)
<avmvirtualip>123.123.123.123</avmvirtualip>
(of course, "avmvirtualip" can be replaced with anything)
I think this should be an input field in phase 1 of IPsec. Something like "Force virtualip for remote"… If devs agree, I could write a little patch to include it. Perhaps an advanced text input for more individual configs?
For me, this just needs to work the next 2 weeks. But it might be helpful to others?